Fruity trojan downloader performs multi-stage infection of Windows computers

Doctor Web uncovered a Windows-focused campaign using Trojan.Fruity.1, a modular downloader that can deploy Remcos RAT or other malware. The attack employs fake installers, multi-stage infection, steganography, and anti-detection tricks to increase success. #TrojanFruity1 #RemcosRAT #TrojanInject4_57973

Key points

  • Trojan.Fruity.1 is a multi-component downloader that enables threat actors to install Remcos RAT or other payloads.
  • Attack vectors include malicious websites and specifically crafted installers that redirect victims to MEGA to obtain a zip containing the trojan package.
  • Legitimate programs are repurposed as trojan modules, with components stored in files such as python39.dll and launched via a signed Python interpreter.
  • The infection unfolds in multiple stages, starting with decryption and loading of payload data, followed by staged payload delivery and execution.
  • Steganography is used to hide executables and shellcode inside fruit.png, enabling covert payload extraction and execution.
  • The malware employs anti-detection techniques (anti-virus bypass and anti-debugging) and uses process injection methods (including hollowing and doppelgänging) to execute its payloads.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malicious websites and decoy installers used to lure victims; ‘When a visitor tries to download an app from a fake site, they are redirected to the MEGA file hosting service webpage, which offers them a zip file, containing a trojan installer package.’
  • [T1204.002] User Execution: Malicious File – Victim extracts the executable from the archive and launches it; ‘Once all the components are extracted from the installer, a multi-stage infection process of the target system begins.’
  • [T1218] Signed Binary Proxy Execution – The trojan was implanted into a legitimate binary and launched by a signed interpreter; ‘launched by the python.exe interpreter with a valid digital certificate.’
  • [T1055] Process Injection – The decoded library is patched and injected into a target process to execute the payload; ‘the .dll file decoded in the previous stage is patched with the data… and injected into the cmd.exe process, after which control passes to the library.’
  • [T1055.012] Process Hollowing – Process Hollowing used to inject a decoded DLL into a process; ‘Using the Process Hollowing method, one of the .dll libraries decoded earlier from the fruit.png image is injected.’
  • [T1574.001] Process Doppelgänging – Replacing the original process in memory with the malicious one; ‘Process Doppelgänging method is used…’
  • [T1027] Obfuscated/Compressed Files and Information – The malware obscures payload data and modifies files to evade detection; ‘writes random data to the end of the python39.dll file… so the file differs from the original.’
  • [T1027.001] Steganography – Hiding payloads inside images; ‘the fruit.png image uses the steganography method to hide two executables (.dll libraries) and the shellcode…’
  • [T1547] Boot or Logon Autostart Execution – Adds the application to startup; ‘adds the python.exe app into the Autostart list of the Windows OS.’
  • [T1053] Scheduled Task – Creates a system task to launch the app; ‘creates a task for launching the app in the system scheduler.’
  • [T1562.001] Impair Defenses – Bypasses antivirus and hampers debugging during analysis; ‘the trojan tries to bypass anti-virus detection and prevent the trojan’s debugging process.’
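A defender-side check for the tampering described under T1027 above (random bytes appended to python39.dll so the file no longer matches the original): an added Python example, not Doctor Web's code, that measures how many bytes of a PE file lie past its last section and past the Authenticode certificate table, which legitimately occupies that overlay. The sample PE it builds is a constructed fixture, not the real python39.dll.

```python
"""Flag PE files that carry bytes beyond their last section and signature table."""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_trailing_bytes(data: bytes) -> int:
    """Return the count of bytes past the last section's raw data (and past the
    Authenticode certificate table, which legitimately lives in that overlay)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # IMAGE_DIRECTORY_ENTRY_SECURITY is the 5th data directory; its
    # VirtualAddress field is a file offset, not an RVA.
    dirs = opt + (96 if magic == PE32_MAGIC else 112)
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    end = cert_off + cert_size if cert_off else 0
    for i in range(num_sections):
        # Section header: Name(8), VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + size_opt + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return max(0, len(data) - end)


def build_sample_pe(body: bytes, overlay: bytes = b"", cert: bytes = b"") -> bytes:
    """Constructed, non-runnable PE32 with one section, optionally followed by a
    fake certificate table and/or arbitrary appended bytes (test fixture only)."""
    size_opt = 224  # PE32 optional header size
    raw_ptr = 0x40 + 4 + 20 + size_opt + 40  # DOS header + sig + COFF + opt + 1 section header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_opt, 0x2102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    if cert:  # point the security directory at the bytes right after the section
        struct.pack_into("<II", opt, 96 + 4 * 8, raw_ptr + len(body), len(cert))
    sect = b".text\0\0\0" + struct.pack("<IIII", len(body), 0x1000, len(body), raw_ptr) + bytes(16)
    return dos + b"PE\0\0" + coff + bytes(opt) + sect + body + cert + overlay
```

A non-zero result is only a trigger for a hash comparison against a known-good copy, since some packers and installers legitimately store data in the overlay.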

Indicators of Compromise

  • [File] python39.dll, python.exe, and other related components (idea.cfg, idea.mp3, fruit.png)

Read more: https://news.drweb.com/show/?i=14728&lng=en